50 million Facebook accounts breached by access-token-harvesting attack
Facebook reset logins for millions of users last night as it dealt with a data breach that may have exposed nearly 50 million accounts. The breach exploited three bugs in Facebook’s code that were introduced with a new video uploader in July 2017. Facebook patched the vulnerabilities on Thursday and revoked access tokens for a total of 90 million users.
In a call with press today, Facebook CEO Mark Zuckerberg said the attack targeted the “view as” feature, “code that allowed people to see what other people were seeing when they viewed their profile.” The attackers combined this feature with the video uploader to harvest access tokens. A surge in usage of the feature was detected on September 16, triggering the investigation that eventually uncovered the breach.
“The attackers did try to query our APIs—but we do not yet know if any private information was exposed,” Zuckerberg said. The attackers used the profile retrieval API, which provides access to the information presented in a user’s profile page, but there’s no evidence yet that Facebook messages or other private data was viewed. No credit card data or other information was exposed, according to Facebook.
“This was the result of three distinct bugs,” said Guy Rosen, Facebook’s vice president of product management. “The first bug was that when using the ‘view as’ function, the video uploader shouldn’t have shown up at all.” But for certain types of posts on users’ timelines, such as prompts to post happy birthday greetings, the video uploader was shown as active. The second bug was that when activated, the video uploader generated a single sign-on token, which Rosen said it should never have done. The third bug was that the token was created for the identity of the person the user was viewing the page as, not for the user’s own identity. Put together, anyone who previewed their own profile “as” another user could come away with a token valid for that other user.
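To make the chain concrete, here is an added, simplified model of the three bugs and of the pivot Rosen describes. It is not Facebook’s code: the request context, the composer functions, the HMAC token format and the friend graph are all constructed for the example, and the "birthday_prompt" post type stands in for whichever post types triggered the first bug.

```python
"""
Simplified model of the "view as" token-minting bug chain and the pivot it
enabled. Added illustration, not Facebook's code; every name here is
hypothetical and the token format is a stand-in.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed for the example; not a real key


@dataclass
class RequestContext:
    viewer: str              # the account whose session makes the request
    view_as: Optional[str]   # the account the profile is being previewed "as", if any
    post_type: str           # e.g. "status" or "birthday_prompt" (hypothetical names)

    @property
    def effective_user(self) -> str:
        """The identity the page is rendered for."""
        return self.view_as or self.viewer


def mint_token(user_id: str) -> str:
    """Mint a token bound to user_id (HMAC-tagged; a stand-in for a real token format)."""
    nonce = secrets.token_hex(8)
    body = f"{user_id}:{nonce}"
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def token_subject(token: str) -> Optional[str]:
    """Return the account a token is bound to, or None if the tag does not verify."""
    user_id, nonce, tag = token.split(":")
    expected = hmac.new(SIGNING_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


def render_composer_vulnerable(ctx: RequestContext) -> dict:
    """
    The three bugs composed:
      1. in preview mode the uploader is still shown for some post types;
      2. showing the uploader mints a token;
      3. the token is minted for effective_user, i.e. the previewed account.
    """
    show_uploader = ctx.view_as is None or ctx.post_type == "birthday_prompt"  # bug 1
    token = mint_token(ctx.effective_user) if show_uploader else None          # bugs 2 and 3
    return {"uploader": show_uploader, "token": token}


def render_composer_fixed(ctx: RequestContext) -> dict:
    """Preview mode shows no uploader and mints nothing; otherwise the token is bound to the viewer."""
    if ctx.view_as is not None:
        return {"uploader": False, "token": None}
    return {"uploader": True, "token": mint_token(ctx.viewer)}


def harvest(render, start: str, friends: Dict[str, List[str]]) -> Dict[str, str]:
    """
    Model of the pivot: from one session, preview the profile "as" each friend,
    keep any token that comes back, and repeat from every account a token was
    obtained for. Returns {account: token} for every account reached.
    """
    tokens: Dict[str, str] = {}
    queue = [start]
    seen: Set[str] = {start}
    while queue:
        viewer = queue.pop(0)
        for friend in friends.get(viewer, []):
            if friend in seen:
                continue
            seen.add(friend)
            result = render(RequestContext(viewer=viewer, view_as=friend, post_type="birthday_prompt"))
            subject = token_subject(result["token"]) if result["token"] else None
            if subject == friend:
                tokens[friend] = result["token"]
                queue.append(friend)  # a token for friend lets us pivot from friend's profile
    return tokens


# Constructed sample friend graph for the example.
SAMPLE_FRIENDS = {
    "attacker": ["alice", "bob"],
    "alice": ["carol"],
    "bob": ["dave"],
    "carol": ["erin"],
}
```

Run `harvest(render_composer_vulnerable, "attacker", SAMPLE_FRIENDS)` and every reachable account yields a token; run it against `render_composer_fixed` and nothing comes back. The fix is deliberately not "mint the token for the viewer instead": a preview surface has no business minting credentials at all, so the hardened composer removes the token from preview mode entirely rather than only correcting the subject.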
“We saw this attack being used at a fairly large scale,” Rosen said. “The attackers could get an access token, pivot to other accounts, and look up other users to get further access tokens.”
Those access tokens could be used, in theory, to log in to third-party applications and web sites that rely on Facebook’s single sign-on API, and to run queries against Facebook’s Graph API as the user. That would allow an attacker to extract profile data and anything else the user could reach through the API.
Facebook contacted the FBI and other law enforcement on Wednesday after identifying the nature of the attack. After turning off the “view as” feature and patching the other bugs, Facebook security deauthorized all access tokens for the 50 million accounts that had been breached. It also deauthorized access tokens for another 40 million accounts that had been looked up with the “view as” feature, as a precaution against any compromise the investigation had not yet found.
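Revoking tokens for 90 million accounts only works if the service can invalidate every outstanding token for an account without finding each one, since the tokens themselves may sit in third-party apps. The added example below shows the usual pattern for that: tokens carry their issue time, and the service keeps one per-account cutoff that moves forward on revocation. It is not Facebook’s code; the `TokenService` class, the token format and the breach timeline in `breach_response_scenario` are constructed for the illustration.

```python
"""
Added example: invalidating every outstanding access token for a set of
accounts by moving a per-account cutoff, not by enumerating tokens.
Not Facebook's code; the token format, the store and the timeline are
constructed for the example.
"""
from typing import Dict, Iterable, Optional
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed for the example; not a real key


class TokenService:
    """
    Tokens are signed and carry the account and an issue time. The only
    per-account state is `not_before`: tokens issued earlier than it are
    rejected. Revoking every token for an account is therefore one write,
    which is what keeps revoking tens of millions of accounts tractable.
    Account ids are assumed not to contain ':'.
    """

    def __init__(self) -> None:
        self.not_before: Dict[str, int] = {}  # account -> earliest acceptable issue time
        self.clock = 0                         # constructed monotonic clock (seconds)

    def tick(self, seconds: int = 1) -> int:
        self.clock += seconds
        return self.clock

    def issue(self, account: str) -> str:
        body = f"{account}:{self.clock}:{secrets.token_hex(8)}"
        tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{tag}"

    def verify(self, token: str) -> Optional[str]:
        """Return the account if the token is authentic and not revoked, else None."""
        try:
            account, issued_at, nonce, tag = token.split(":")
            issued_at_int = int(issued_at)
        except ValueError:
            return None
        expected = hmac.new(SIGNING_KEY, f"{account}:{issued_at}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        if issued_at_int < self.not_before.get(account, 0):
            return None
        return account

    def revoke_all(self, accounts: Iterable[str]) -> int:
        """
        Invalidate every token issued so far for the given accounts. The cutoff
        consumes a clock tick so that tokens issued after the revocation are
        distinguishable from those issued in the same second before it.
        Returns the number of accounts touched.
        """
        cutoff = self.tick()
        count = 0
        for account in accounts:
            self.not_before[account] = cutoff
            count += 1
        return count


def breach_response_scenario() -> Dict[str, bool]:
    """Constructed timeline: tokens harvested, bulk revocation, user logs in again."""
    svc = TokenService()
    svc.tick()
    harvested = {a: svc.issue(a) for a in ("alice", "bob")}  # taken during the attack
    untouched = svc.issue("carol")                           # account never looked up
    breached = {"alice"}            # known harvested
    precautionary = {"bob"}         # looked up via "view as", revoked as a precaution
    svc.revoke_all(breached | precautionary)
    fresh = svc.issue("alice")      # alice logs in again after the forced reset
    return {
        "harvested_alice_still_valid": svc.verify(harvested["alice"]) is not None,
        "harvested_bob_still_valid": svc.verify(harvested["bob"]) is not None,
        "carol_still_valid": svc.verify(untouched) == "carol",
        "fresh_alice_valid": svc.verify(fresh) == "alice",
    }
```

The check a practitioner should add to this pattern in production is clock resolution: with second-granularity timestamps a revocation and a fresh login in the same second are indistinguishable, which is why the example advances the clock on revocation; real deployments use a per-account counter or a finer time source.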
While no evidence of further data access has been found, the investigation is still in its early stages, according to Zuckerberg and Rosen. They could not say yet whether specific types of users were targeted. Zuckerberg emphasized that Facebook was taking the breach seriously and that the company was aggressive in going after the breach. The CEO promised further details as the investigation went forward.
Regardless, the breach could do further damage to Facebook’s reputation as the company continues to attempt to regain public trust after a recent string of security and privacy issues. In addition to revelations about the misuse of Facebook user data by Cambridge Analytica during the run-up to the 2016 US presidential election, there have been questions about how Facebook itself uses customer data, including the discovery that Facebook had been routinely collecting full call logs and other data from some mobile users. Earlier this week, Facebook acknowledged that it provided phone numbers used for two-factor authentication to advertisers for the purpose of targeting users with advertisements. And Facebook’s Onavo virtual private network application was yanked from Apple’s App Store in August because it was being used by Facebook to collect data about users’ mobile application usage.